CVE-2024-3651
Denial-of-service vulnerability in idna (PyPI)
What is CVE-2024-3651 About?
This denial-of-service vulnerability occurs in the `idna.encode()` function when processing specially crafted arguments. It can lead to significant resource consumption, impacting system availability. Exploitation requires sending an arbitrarily large input to the function.
Affected Software
- idna
- <1d365e17e10d72d0b7876316fc7b9ca0eebdd38d
- <3.7
- >0.1, <3.7
Technical Details
The vulnerability resides within the idna.encode() function, where a specially crafted argument can cause an excessive consumption of system resources. This occurs when the function attempts to process inputs of arbitrary length that are not constrained by typical domain name length limits. An attacker can provide an exceptionally large string to the idna.encode() function, which, due to an inefficient processing mechanism for such oversized inputs, leads to a resource exhaustion state, effectively creating a denial-of-service for the application calling this function. This is particularly problematic in scenarios where higher-level applications do not enforce preliminary input validation on the length of domain names before passing them to the library.
What is the Impact of CVE-2024-3651?
Successful exploitation may allow attackers to cause the system to consume excessive resources, leading to a denial of service and disrupting normal application operations.
What is the Exploitability of CVE-2024-3651?
Exploitation complexity is moderate. There are no specific authentication or privilege requirements for this vulnerability; any process that can submit data to idna.encode() can trigger the DoS. It is typically a remote vulnerability if the function is exposed via a network service. The special condition is the ability to provide an arbitrarily large string as input to the idna.encode() function, bypassing any typical domain length constraints. Risk factors are increased when applications fail to implement input validation for domain name lengths before passing them to the library, allowing unusually large inputs to be processed.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2024-3651?
Available Upgrade Options
- idna
- >0.1, <3.7 → Upgrade to 3.7
- idna
- <1d365e17e10d72d0b7876316fc7b9ca0eebdd38d → Upgrade to 1d365e17e10d72d0b7876316fc7b9ca0eebdd38d
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb
- https://github.com/kjd/idna/security/advisories/GHSA-jjg7-2v4v-x38h
- https://osv.dev/vulnerability/PYSEC-2024-60
- https://github.com/kjd/idna/commit/1d365e17e10d72d0b7876316fc7b9ca0eebdd38d
- https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb
- https://github.com/kjd/idna/commit/1d365e17e10d72d0b7876316fc7b9ca0eebdd38d
- https://github.com/pypa/advisory-database/tree/main/vulns/idna/PYSEC-2024-60.yaml
- https://github.com/kjd/idna/commit/1d365e17e10d72d0b7876316fc7b9ca0eebdd38d
- https://nvd.nist.gov/vuln/detail/CVE-2024-3651
- https://osv.dev/vulnerability/GHSA-jjg7-2v4v-x38h
What are Similar Vulnerabilities to CVE-2024-3651?
Similar Vulnerabilities: CVE-2023-45803 , CVE-2022-21703 , CVE-2021-4122 , CVE-2020-8012 , CVE-2019-10023
